Hurricane Electric's IPv6 Tunnel Broker Forums

Advanced search  

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Author Topic: Bad effects of blocking IPv6 ping  (Read 4036 times)

evantkh

  • Full Member
  • ***
  • Posts: 122
Bad effects of blocking IPv6 ping
« on: June 14, 2015, 06:11:15 AM »
As I know, blocking all ICMPv6 is a bad idea as it may cause connectivity issues.
In my setup, I would like to only open things(e.g. some TCP ports, UDP ports) that I really need to use, leaving all other thing dropped unless allowed by ip6tables connection tracking with allowing ESTABLISHED,RELATED traffic.
In this case, the server will not be pingable using ICMPv6 echo request from the internet. Will it cause other issues?
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2706
Re: Bad effects of blocking IPv6 ping
« Reply #1 on: June 14, 2015, 07:09:28 AM »
Logged

evantkh

  • Full Member
  • ***
  • Posts: 122
Re: Bad effects of blocking IPv6 ping
« Reply #2 on: June 14, 2015, 10:26:20 PM »
Logged

kriteknetworks

  • Sr. Member
  • ****
  • Posts: 260
    • aRDy Music
Re: Bad effects of blocking IPv6 ping
« Reply #3 on: June 15, 2015, 05:30:49 AM »
What do you gain by blocking icmp6?
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1722
Re: Bad effects of blocking IPv6 ping
« Reply #4 on: June 15, 2015, 08:20:34 AM »
block type 139/140, and rate limit the rest. problem solved.
Logged

evantkh

  • Full Member
  • ***
  • Posts: 122
Re: Bad effects of blocking IPv6 ping
« Reply #5 on: June 15, 2015, 08:21:50 AM »
Quote from: kriteknetworks on June 15, 2015, 05:30:49 AM
What do you gain by blocking icmp6?

I want to block everything, allowing only outbound connectivity.
Logged

evantkh

  • Full Member
  • ***
  • Posts: 122
Re: Bad effects of blocking IPv6 ping
« Reply #6 on: June 15, 2015, 08:29:16 AM »
Quote from: broquea on June 15, 2015, 08:20:34 AM
block type 139/140, and rate limit the rest. problem solved.

What are the bad effects of blocking echo request?

In my current setup, I can ping outside, LAN devices can ping each other, but outside cannot ping inside.
« Last Edit: June 15, 2015, 08:39:08 AM by evantkh »
Logged

evantkh

  • Full Member
  • ***
  • Posts: 122
Re: Bad effects of blocking IPv6 ping
« Reply #7 on: June 15, 2015, 08:55:32 AM »
Quote from: broquea on June 15, 2015, 08:20:34 AM
block type 139/140, and rate limit the rest. problem solved.

I forgot to mention that I am using a stateful firewall, not the stateless one.
Is it good to use ip6tables connection tracking instead of exposing the inbound icmpv6 connectivity to the internet?
Logged

kriteknetworks

  • Sr. Member
  • ****
  • Posts: 260
    • aRDy Music
Re: Bad effects of blocking IPv6 ping
« Reply #8 on: June 15, 2015, 11:18:12 AM »
Quote from: evantkh on June 15, 2015, 08:21:50 AM
Quote from: kriteknetworks on June 15, 2015, 05:30:49 AM
What do you gain by blocking icmp6?

I want to block everything, allowing only outbound connectivity.

You already said this. You didn't answer my question. What do you gain by blocking icmp6?
Logged

evantkh

  • Full Member
  • ***
  • Posts: 122
Re: Bad effects of blocking IPv6 ping
« Reply #9 on: June 15, 2015, 07:18:28 PM »
Quote from: kriteknetworks on June 15, 2015, 11:18:12 AM
Quote from: evantkh on June 15, 2015, 08:21:50 AM
Quote from: kriteknetworks on June 15, 2015, 05:30:49 AM
What do you gain by blocking icmp6?

I want to block everything, allowing only outbound connectivity.

You already said this. You didn't answer my question. What do you gain by blocking icmp6?

I am not specifically against having icmp6 open, but I am against having anything open. This will lead to devices not pingable from the internet and people said that blocking ping(echo request) is a bad idea and without explaining how it affects icmp6 error signalling, and the icmp6 type is not the same as echo request.
Logged